The scope is:
https://www.googleapis.com/auth/drive
The other is the URL that you can make API requests to; it is not a scope.
Ok I got it.
The answer can be found here: https://developers.google.com/accounts/docs/OAuth2WebServer#offline
First you have to make an auth request:
<form method="POST" action="https://accounts.google.com/o/oauth2/auth">
<input type="hidden" name="scope" value="[YOUR SCOPE]"/>
<input type="hidden" name="client_id" value="[YOUR CLIENT ID]"/>
<input type="hidden" name="response_type" value="code"/>
<input type="hidden" name="redirect_uri" value="[YOUR RETURN URL]"/>
<input type="hidden" name="access_type" value="offline"/>
<input type="submit"/>
</form>
Then you will get a 'code' at your return_url.
Then you need to exchange the code for an access_token and refresh_token:
<form method="POST" action="https://accounts.google.com/o/oauth2/token">
<input type="text" name="code" value="[CODE YOU GOT IN PREV STEP]"/>
<input type="hidden" name="client_id" value="[YOUR CLIENT ID]"/>
<input type="hidden" name="client_secret" value="[YOUR CLIENT SECRET]"/>
<input type="hidden" name="grant_type" value="authorization_code"/>
<input type="hidden" name="redirect_uri" value="[YOUR REDIRECT URL]"/>
<input type="submit"/>
</form>
As a result of this you will get a response like:
{
"access_token" : "[HERE YOU ACCESS TOKEN]",
"token_type" : "Bearer",
"expires_in" : 3600,
"id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRiMjBlNWMwZGU1YWI0MGRjNTU5ODBkM2EzYmZlNDdlOGM2NGM5YjAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiY2lkIjoiMjQ2ODg5NjU3NDg2LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXVkIjoiMjQ2ODg5NjU3NDg2LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwidG9rZW5faGFzaCI6IjRURGtlQ0MzVWRPZHoyd2k1N2RnaUEiLCJpZCI6IjExNTI0MDk1NDM0Njg1NTU4NjE2MSIsImlhdCI6MTM1MzQwNDQ3MCwiZXhwIjoxMzUzNDA4MzcwfQ.Va98sh9LvMEIWxpRMFkcuFqtDAUfJLN5M__oJyjvmIxQR9q2NUIoocyjqbNyXc7as_ePQYiUjajx0SCumtR4Zhv-exeJfrKA_uMmJTe7jWhK6K2R3JQ2-aIZNnehpEuhYZBXgLhzYz1mlFrLqQTdV6LjDhRPDH-ol4UKWXfbAVE",
"refresh_token" : "[HERE YOUR REFRESH TOKEN]"
}
Now you can store these tokens in your application and use them for an unlimited time, refreshing the access_token every 3600 secs:
<form method="POST" action="https://accounts.google.com/o/oauth2/token">
<input type="text" name="refresh_token" value="[YOUR REFRESH TOKEN]"/>
<input type="hidden" name="client_id" value="[YOUR CLIENT ID]"/>
<input type="hidden" name="client_secret" value="[YOUR CLIENT SECRET]"/>
<input type="hidden" name="grant_type" value="refresh_token"/>
<input type="submit"/>
</form>
And each time you make this request you will get a new access_token:
{
"access_token" : "[NEW ACCESS TOKEN]",
"token_type" : "Bearer",
"expires_in" : 3600,
"id_token" : "eyJhbGciOiJSUzI1NiIsImtpZCI6ImRiMjBlNWMwZGU1YWI0MGRjNTU5ODBkM2EzYmZlNDdlOGM2NGM5YjAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiYXVkIjoiMjQ2ODg5NjU3NDg2LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwidG9rZW5faGFzaCI6ImpyYk5oNkRHZFN4Y0w5MUI5Q1hab2ciLCJpZCI6IjExNTI0MDk1NDM0Njg1NTU4NjE2MSIsImNpZCI6IjI0Njg4OTY1NzQ4Ni5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlhdCI6MTM1MzQwNTU5OSwiZXhwIjoxMzUzNDA5NDk5fQ.mGN3EYOX75gPubr3TqWIOBkfq-o3JBXMXx4MbxEBGMSuPdJi7VTqZa4isyR-st-J5_wTtA-j8tVQYnDeZDxj5KpJ14FFQPKTtv_VI5kvuT55KyOmGu4yidciYoffJMISisr8NqiksbemaiYX900sRv6PmoTA6Nf6VtHgj3BZjWo"
}
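The three steps above as one added example (not code from the answer or from Google's client libraries): build the offline auth URL, exchange the code, and refresh shortly before expires_in elapses. Note that the refresh response shown above carries no refresh_token, so the one from the first exchange has to be kept. The class and function names, the injected post(url, form) transport, the constructed fake_token_endpoint stand-in for accounts.google.com, and the state parameter (absent from the forms above, but needed so the callback can reject a code it did not ask for) are all assumptions of this example.

```python
import time
from urllib.parse import urlencode

AUTH_URL = "https://accounts.google.com/o/oauth2/auth"
TOKEN_URL = "https://accounts.google.com/o/oauth2/token"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
def build_auth_url(client_id, redirect_uri, state, scope=DRIVE_SCOPE):
    # access_type=offline is what makes the code exchange return a refresh_token;
    # state (not in the forms above) is a per-session random value the callback must compare.
    params = {"scope": scope, "client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "access_type": "offline", "state": state}
    return AUTH_URL + "?" + urlencode(params)

class TokenStore:
    def __init__(self, client_id, client_secret, post, now=time.time, skew=60):
        self._cid, self._secret, self._post, self._now, self._skew = client_id, client_secret, post, now, skew
        self.access_token, self.refresh_token, self.expires_at = None, None, 0.0

    def _apply(self, body):
        self.access_token = body["access_token"]
        self.expires_at = self._now() + body["expires_in"]
        # The refresh response above carries no refresh_token: keep the one from the exchange.
        if body.get("refresh_token"):
            self.refresh_token = body["refresh_token"]

    def exchange_code(self, code, redirect_uri):
        self._apply(self._post(TOKEN_URL, {
            "code": code, "client_id": self._cid, "client_secret": self._secret,
            "grant_type": "authorization_code", "redirect_uri": redirect_uri}))

    def refresh(self):
        if not self.refresh_token:
            raise RuntimeError("no refresh_token stored; redo the auth flow with access_type=offline")
        self._apply(self._post(TOKEN_URL, {
            "refresh_token": self.refresh_token, "client_id": self._cid,
            "client_secret": self._secret, "grant_type": "refresh_token"}))

    def bearer(self):
        # Refresh skew seconds before expires_in elapses instead of after a 401.
        if self._now() >= self.expires_at - self._skew:
            self.refresh()
        return self.access_token

def fake_token_endpoint(url, form):
    # Constructed stand-in for accounts.google.com that answers with the shapes shown above.
    if url == TOKEN_URL and form["grant_type"] == "authorization_code" and form["code"] == "4/demo-code":
        return {"access_token": "at-1", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "rt-1"}
    if url == TOKEN_URL and form["grant_type"] == "refresh_token" and form["refresh_token"] == "rt-1":
        return {"access_token": "at-2", "token_type": "Bearer", "expires_in": 3600}
    raise ValueError("invalid_grant")
```

For a real deployment, pass a post function that form-encodes the dict, POSTs it to the URL and returns the decoded JSON; the injected clock makes the expiry logic testable offline.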
Best Answer
You are not getting the multi user selection screen because of the following parameter: authuser=0
This automatically selects the first account you are signed in with (authuser=1 would select the second, etc.). It's currently not possible to remove that param using the client library because the client library sets it automatically to 0 (this is why it claims not to handle multi-accounts) if there is no value, so one way is to override it to -1 for example; this will show the multi-account chooser. Then you could also ask to access the user's profile or email at the same time you ask access to other APIs and fetch either the email of the user or its ID. Then on subsequent auth you can specify the user_id param which will bypass the user-selection screen. So in practice, first authorize like this:
The only problem with the above is that the auto-refresh of the client library will not work because every auth will be blocked at the multi-account selection screen.
The trick is to get the ID of the user using the UserInfo API, save that ID in a session cookie and use it on subsequent auth like that:
Specifying the User's ID will make sure the multi-account chooser is bypassed and will allow the auto-refresh of the token from the client lib to work again.
For reference, other URL params that impact the user flow are:
user_id: similar to authuser (bypasses the multi-account selection screen) but you can use an email address (e.g. bob@gmail.com) or the User ID you get from our Open ID Connect endpoint/Google+ API/UserInfo API
approval_prompt: default is auto, can be set to force to make sure that the approval/grant screen gets shown. This makes sure that the grant screen is not bypassed on subsequent auth (after first time).
immediate: immediate is a bit tricky; when set to true it will bypass the grant screen (kinda like approval_prompt=auto) if the user already granted approval previously, but if the user has not granted approval previously you will get redirected with an error: error=immediate_failed. If set to false it won't add special behavior and therefore falls back on the behavior set up by the approval_prompt value.
Note: immediate=true and approval_prompt=force is an invalid combination.
I think the client library is using the immediate param so that if it gets the error=immediate_failed it will restart an auth flow without the authuser param, but that's only speculation :)
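The parameter rules from this answer as an added example (not the answer's own code and not the client library): with no saved user the request carries authuser=-1 so the chooser appears; once the UserInfo ID or email is in the session cookie it goes in user_id so the chooser is bypassed and auto-refresh is no longer blocked; and the immediate=true plus approval_prompt=force combination is rejected before any request is made. The function names, the known_user argument and the drive scope default are assumptions of this example; the URL parameter names are the ones the answer lists.

```python
from urllib.parse import urlencode

AUTH_URL = "https://accounts.google.com/o/oauth2/auth"
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"

def auth_params_for_session(client_id, redirect_uri, known_user=None,
                            approval_prompt="auto", immediate=False, scope=DRIVE_SCOPE):
    # known_user is the UserInfo ID or email saved in the session cookie; None on the first visit.
    if immediate and approval_prompt == "force":
        # Invalid combination per the answer: fail here rather than with an error redirect.
        raise ValueError("immediate=true cannot be combined with approval_prompt=force")
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
              "response_type": "code", "approval_prompt": approval_prompt}
    if known_user is None:
        # Override the client library default of authuser=0 so every signed-in account is listed.
        params["authuser"] = "-1"
    else:
        # user_id skips the chooser, so the library's auto-refresh is no longer blocked by it.
        params["user_id"] = known_user
    if immediate:
        # Only useful once the user has granted approval; otherwise expect error=immediate_failed.
        params["immediate"] = "true"
    return params

def auth_url_for_session(**kwargs):
    return AUTH_URL + "?" + urlencode(auth_params_for_session(**kwargs))
```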